Updated on 13 Nov 2008: Made some minor corrections.
Updated on 25 Nov 2008: Made some more minor corrections.

Hi!

This is my first howto ever! First of all I would like to advise that all the work has been done by others and all the credit is theirs. This howto is just a little summary for those who get confused...or are too lazy. Please, check the links at the end of the post. The intro is mine, but almost all the steps of the howto are based on them.

I hope many people will find it useful. I think that if you install Ubuntu with the alternate CD, it gives you the possibility of encrypting the root filesystem. But if you use the desktop CD (the LiveCD, like Mint's one) you don't have this option, and you can only encrypt a folder in your /home after installation. Fedora also lets you encrypt the whole system during installation...but we want to install Mint, don't we?

Some people think encryption is not necessary for the average user, but that's not true. If you lose your laptop, or if anyone steals it, the personal information (yes, last picnic pics included) on it can be used against you. Sometimes we don't realise that we don't protect some personal information at all. Think of it: how many times do you let your browser store your passwords so you don't have to remember them? Is the one for accessing your bank's webpage included? If someone uses your browser and "accidentally" gets to one of these webpages...dangerous, huh? Well, maybe I'm getting paranoid...

Anyway, encryption is not the holy grail...especially while the computer is running. Encryption will lock your computer, and if anyone gets physical access to your computer it is possible to take the hard drive and connect it to another computer, but if the cipher is good and the password is strong enough, it will take years to decrypt it.

OK, here is the recipe...I don't want to scare you. It has been tested on Felicia RC1, but it should work in older releases. It will also work if you are dual-booting, and also if you have your Windows partition encrypted with Truecrypt (the Truecrypt bootloader can chainload partitions).

1 - First of all, make a backup of your data. Then, boot your Mint LiveCD. Make sure you have Internet connection, we need to install a package. Once at the desktop, type on a terminal (press Alt+F2 and type "xterm"):

Change sda to the name of the hard disk you want to use. Use sudo if needed. It can take hours because random data has to be "prepared"...so you can use /dev/zero, which will fill it with zeros instead of random data:

4 - It's time to encrypt the / and /home partitions. Change XX to the correct parameters as needed and, please, CHECK THEM TWICE...I've lost my data lots of times... Also, don't use the same password for both partitions. If you want, use a shorter password for your /home partition. If you are afraid of forgetting them, use a sentence from a film, or a verse from a song...whatever lets you remember them without having to write them on paper (NEVER do this). Passwords should also be hard to guess; your name, your birthday or names/birthdays from your family do not work here.

Remember, /boot is not going to be encrypted. And the swap partition will be "dynamically" encrypted. I mean, we will configure cryptsetup to execute the command above on every boot, so swap will have a random key...so, dd it!

5 - Now we have two encrypted containers. One in /dev/sda3 and one in /dev/sda4. Once finished, we must open them in order to format them. In our example:

7 - Install as normal. When the installer asks you for partitioning, select "Manual". In our example we should set mountpoints like this:

/dev/mapper/croot   /
/dev/mapper/chome   /home
/dev/sda1           /boot

Do nothing with /dev/sda2, /dev/sda3, /dev/sda4. If you have Windows partitions or others like /usr, /var, ... mount them as normal (if you want /usr, /var, ... to be encrypted, proceed as for / and /home).

Note for Truecrypt users: If you have your Windows system partition encrypted with Truecrypt, remember to install grub to /boot. To do this, click "Advanced" on the last step of the installer and type /dev/sdXX (your /boot partition) in the "Install grub to..." field. In our example, we would type /dev/sda1.

Click "Install", and let it be.

8 - Once the installation has finished, let the installer know that you want to keep using the LiveCD. We need to work some more.

Ah! And I forgot to mention that, if you want an extra piece of paranoia, you can create a file container with Truecrypt in your /home folder (or use the Ubuntu ~/Private method) and store important files there. But that's only for super-paranoid people.
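The command blocks of the howto did not survive on this page, so here is an added example (my own script, not the original post's commands) that carries out the same steps on the post's example layout: /dev/sda1 for /boot, /dev/sda2 for swap, /dev/sda3 for / opened as croot, /dev/sda4 for /home opened as chome. The device names, the cipher aes-cbc-essiv:sha256, the ext3 filesystem and the exact /etc/crypttab and /etc/fstab lines are assumptions; the script also goes beyond the post by offering a passphrase-keyed swap mode next to the random-key one. Nothing is executed unless you ask for it.

```shell
#!/bin/sh
# Added example, not the original post's commands. Layout assumed:
#   /dev/sda1 -> /boot (plain)             /dev/sda2 -> swap (keyed from /dev/urandom each boot)
#   /dev/sda3 -> / via /dev/mapper/croot   /dev/sda4 -> /home via /dev/mapper/chome
# Nothing runs by default: FDE_MODE=dry-run prints the commands, FDE_MODE=run executes them.
set -u

BOOT_DEV=${BOOT_DEV:-/dev/sda1}
SWAP_DEV=${SWAP_DEV:-/dev/sda2}
ROOT_DEV=${ROOT_DEV:-/dev/sda3}
HOME_DEV=${HOME_DEV:-/dev/sda4}
CIPHER=${CIPHER:-aes-cbc-essiv:sha256}   # cipher spec in the form cryptsetup accepts
FSTYPE=${FSTYPE:-ext3}
WIPE_SRC=${WIPE_SRC:-/dev/urandom}       # /dev/zero is faster, but then used space is visible
FDE_RUN=0

run() {
    # Print every command; execute it only in run mode.
    echo "+ $*"
    if [ "$FDE_RUN" = 1 ]; then "$@"; fi
}

# Steps 2-3: overwrite the partitions that will hold ciphertext.
wipe_device() { run dd if="$WIPE_SRC" of="$1" bs=1M; }

# Step 4: create the LUKS container. cryptsetup asks for the passphrase twice;
# use a different one for / and /home, as the post advises.
luks_format() { run cryptsetup -y --cipher "$CIPHER" --key-size 256 luksFormat "$1"; }

# Steps 5-6: open the container under its mapper name, then put a filesystem on it.
luks_open_and_mkfs() { run cryptsetup luksOpen "$1" "$2"; run "mkfs.$FSTYPE" "/dev/mapper/$2"; }

# Step 10: /etc/crypttab, which re-opens the containers at boot. Mode "random" keys
# swap from /dev/urandom on every boot (the post's setup; hibernate cannot work).
# Mode "passphrase" assumes swap was luksFormat-ed too, so its key survives a reboot.
gen_crypttab() {
    printf 'croot %s none luks\n' "$ROOT_DEV"
    printf 'chome %s none luks\n' "$HOME_DEV"
    if [ "${1:-random}" = random ]; then
        printf 'cswap %s /dev/urandom swap,cipher=%s,size=256\n' "$SWAP_DEV" "$CIPHER"
    else
        printf 'cswap %s none luks\n' "$SWAP_DEV"
    fi
}

# The matching /etc/fstab: encrypted filesystems are mounted by mapper name,
# never by /dev/sdaN; /boot is the only plain partition.
gen_fstab() {
    printf '/dev/mapper/croot / %s defaults,errors=remount-ro 0 1\n' "$FSTYPE"
    printf '%s /boot %s defaults 0 2\n' "$BOOT_DEV" "$FSTYPE"
    printf '/dev/mapper/chome /home %s defaults 0 2\n' "$FSTYPE"
    printf '/dev/mapper/cswap none swap sw 0 0\n'
}

fde_prepare() {
    for dev in "$SWAP_DEV" "$ROOT_DEV" "$HOME_DEV"; do wipe_device "$dev"; done
    luks_format "$ROOT_DEV"; luks_open_and_mkfs "$ROOT_DEV" croot
    luks_format "$HOME_DEV"; luks_open_and_mkfs "$HOME_DEV" chome
    echo "# now run the installer with /dev/mapper/croot on / and /dev/mapper/chome on /home,"
    echo "# then, inside the chroot, write these two files and run update-initramfs -u:"
    echo "# --- /etc/crypttab"; gen_crypttab random
    echo "# --- /etc/fstab";    gen_fstab
}

case "${FDE_MODE:-}" in
    dry-run) FDE_RUN=0; fde_prepare ;;
    run)     FDE_RUN=1; fde_prepare ;;
esac
```

Run it as `FDE_MODE=dry-run sh fde.sh` first and read every device name in the printed commands before running `FDE_MODE=run sudo sh fde.sh`; the wipe and luksFormat steps are irreversible. Both crypttab and fstab also accept `UUID=...` in place of /dev/sdaN (take the values from `blkid`), which removes the sdb/sdf renaming problem that external drives run into.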

Hi and thanks for a good howto. It worked for me out of the box, aside from a couple of places where I needed to use sudo where it wasn't indicated. But I have a small problem. I have my system set up on an external USB drive, and to get a consistent boot I had to label the partitions and use those when passing the boot options in grub, because grub was very inconsistent about whether it liked /dev/sdb or /dev/sdf for the partitions, and I have no idea why it sometimes liked one over the other, but I solved that by labeling them. Now, after using your guide, I successfully managed to encrypt my system, but I don't get a consistent boot. Is there a way of getting a partition label to work with this?

Nice, straight forward how-to. It is something that is desired by many and will be appreciated.

I would like to comment on whole system encryption in general, however. What on your hard drive merits encryption? There is certainly nothing secret that merits protection about the Linux OS. After all, it can be downloaded for free. Nothing there to bother protecting, is there? The sensitive data you have on your system is what merits protection.

On a Windows system you need to encrypt the whole system because data is scattered all over the system. Linux on the other hand is structured differently. All data is located in the user's home directory. Or preferably on a different partition and just mounted in /home, /media, or /mnt.

On a Linux system it is pretty much impossible to maintain plausible deniability with whole system encryption. Don't you think it would look a little odd to have a computer with only a /boot partition showing on it?

Actually, I think it would be a more secure setup to have your Linux OS unencrypted, with encrypted containers containing your sensitive data that you could mount in your file system. That way it would look like a normal working system but nothing of interest would be available. You would have plausible deniability that there was anything else there at all, or encryption was even being used.

Just another point of view.

Fred

Insanity: Doing the same thing over and over and each time expecting a different result.

Democracy is 2 wolves and a lamb voting on the menu. Liberty is an armed lamb protesting the electoral outcome. A Republic negates the need for an armed protest.

That is a very interesting point and I agree, but if you just have, for example, / and /home on separate partitions and you encrypt only the /home partition, then you might have sensitive data in the /tmp directory, which is on /. I guess you could just have 3 partitions, /, /tmp and /home, and encrypt /tmp, /home and swap. Right? That would, I guess, solve my problem described above.

None of your user data would ever wind up in /tmp or /var/tmp. Log files and system work files are generally all that is found there. If you are concerned about something ending up in /tmp or /var/tmp that would give away that you are using encryption, there is an easy solution.

tmpfs /tmp tmpfs size=512M,mode=1777 0 0

tmpfs /var/tmp tmpfs size=512M,mode=1777 0 0

tmpfs /var/log tmpfs size=512M,mode=1777 0 0

Put the above in your /etc/fstab file and you will be using RAM for these files. When you turn the system off all traces of your session activity will be gone.

You might want to Google and learn a little bit about tmpfs and how it works.

Fred

Insanity: Doing the same thing over and over and each time expecting a different result.

Democracy is 2 wolves and a lamb voting on the menu. Liberty is an armed lamb protesting the electoral outcome. A Republic negates the need for an armed protest.

This works great; however, if you have a laptop and you want to use hibernate to disk, you can't, because the swap partition is encrypted with a random key. However, I found another howto at http://www.c3l.de/linux/howto-completly ... y-eft.html which helped me figure out how to fix this. Basically you make the swap partition like you do the other partitions, with a passphrase, but there are a few wrinkles.

The first thing to do is to turn off the cswap with the randomized key and then recreate it with a passphrase:

Hello there and thanks for this guide, it worked like a charm on my Mint Gloria 7 x64 installation, except that I had to use the aes-x86_64 module instead of the aes-i586.

I do have a question though: how does LUKS encryption impact the performance of the average desktop PC if the whole installation (not /boot) is encrypted? And by performance I mean normal desktop activity like surfing the web, e-mails, the odd video playback, OpenOffice, and the odd OpenGL game. I read some benchmarking articles about this, and the main difference in performance between an encrypted and a non-encrypted system is (obviously) reading/writing from/to the filesystem, but how this effectively impacts the applications mentioned above is unfortunately beyond me, so I would be very grateful for all your input on the subject.

I have been trying to install on LVM partitions and it continuously fails on the chroot command. I just can't see how all these Ubuntu and Mint Linux howtos can chroot to an empty environment and it just works without a shell in the chrooted environment?

OK, one post mentions that you do the chroot during the install and not in the LiveCD environment; now it works fine. If I still had the link I would reference it here, as this guy was really good at giving a thorough description of how things are done.

It would really be nice if we had an Alternate Install disk, as in Kubuntu/Ubuntu. Using the Alternate Install disk, full disk encryption has worked beautifully for me using this guide. Never been difficult at all:

I followed the guide word for word from a USB drive with a Helena live boot. I start up the computer and there is just a cursor blinking in the upper left of the screen. Any ideas on why it isn't booting? I have an extended partition with a 10 GB root, 12 GB not used, and a 124 GB home partition; all three are encrypted.

Strangely, every time I try to umount /dev/root/ at the end it says the drive is busy. Each time I just restarted anyway.

A caveat in case others run into a problem I had with update-initramfs in step 11. Once you have chrooted into your new environment and are making edits to /etc/crypttab and /etc/fstab in step 10, the names you picked back in step 5 are still relevant. If these names differ, update-initramfs will fail and you most likely will not be able to boot your new system.

@alwyn Chrooting to the newly installed system should happen after you have installed Mint and mounted your new filesystem under /mnt; at this point there is an environment to chroot to.

@gtech The failure to boot with just a cursor blinking sounds like grub didn't install properly, perhaps to the wrong device, or not at all. Check those settings in wuying_ren's guide under step 7. Second, the busy message you get when trying to umount /mnt/root is because /proc, /sys, and /dev/pts are still mounted inside your chrooted environment. Before exiting the chroot, umount those 3 and then exit to umount /mnt/root. There should be no message.
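Two of the points raised in this thread can be checked mechanically before leaving the chroot: the crypttab/fstab name mismatch that makes update-initramfs fail (the caveat above), and whether /tmp and /var/tmp really are on tmpfs as in Fred's fstab lines earlier. The script below is an added example of mine, not code from the thread; the file paths and the /mnt/root target are assumptions, and the sample crypttab and fstab used to exercise it are constructed. One caveat on Fred's third line: putting /var/log on tmpfs also discards the logs you would want when investigating a break-in or a boot problem.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for steps 10-11 of the howto.
set -u

# Mapper names that an fstab mounts (column 1, comments skipped, /dev/mapper/ prefix stripped).
fstab_mapper_names() {
    awk '$1 !~ /^#/ && $1 ~ /^\/dev\/mapper\// { sub("^/dev/mapper/", "", $1); print $1 }' "$1"
}

# Names declared in a crypttab (column 1 of every non-comment line).
crypttab_names() {
    awk '$1 !~ /^#/ && NF >= 2 { print $1 }' "$1"
}

# Return 0 when every /dev/mapper/NAME in fstab has a NAME entry in crypttab.
# Otherwise print the offenders to stderr and return 1: this is the mismatch
# between step-5 names and step-10 files that makes update-initramfs fail.
check_crypttab_fstab() {
    crypttab=$1; fstab=$2; rc=0
    for name in $(fstab_mapper_names "$fstab"); do
        if ! crypttab_names "$crypttab" | grep -qx "$name"; then
            echo "fstab mounts /dev/mapper/$name but crypttab defines no '$name'" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 when the given mount point is declared as tmpfs in the fstab.
check_tmpfs() {
    fstab=$1; mountpoint=$2
    awk -v mp="$mountpoint" '$1 !~ /^#/ && $2 == mp && $3 == "tmpfs" { found = 1 } END { exit !found }' "$fstab"
}

# The order in which the pseudo-filesystems bound into the target must be unmounted
# (innermost first) so that the target itself can be unmounted without "busy".
chroot_teardown_order() {
    target=${1:-/mnt/root}
    printf '%s\n' "$target/dev/pts" "$target/sys" "$target/proc" "$target"
}

# Run the checks against a chroot target; usage: preflight /mnt/root
preflight() {
    target=${1:-/mnt/root}
    check_crypttab_fstab "$target/etc/crypttab" "$target/etc/fstab" || return 1
    for mp in /tmp /var/tmp; do
        check_tmpfs "$target/etc/fstab" "$mp" || echo "note: $mp is not on tmpfs" >&2
    done
    echo "unmount in this order before leaving the chroot:"
    chroot_teardown_order "$target"
}
```

Run `preflight /mnt/root` from the LiveCD after writing the two files and before `update-initramfs -u`; a non-zero exit means a mapper name in fstab has no crypttab entry, which is exactly the case that leaves the system unbootable.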

OK guys, all of this is very good and interesting, but first of all, why have a "whole system encrypted"? I don't guess there are people here who administer one or more Linux servers for the NSA, the Army, the Department of Defense or something like that, nor a database server for a Swiss bank... Just simple guys with a personal computer for their simple usage... So, a "whole system encrypted"? Why? For the fun or the curiosity if you want, maybe, but that's all. It's like SELinux and other things like that, no need.

K.I.S.S. ===> "Keep It Simple, Stupid"
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)